Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
AnalysisAI
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.
Technical ContextAI
Shopper is a Laravel-based headless e-commerce admin panel that uses Livewire, a full-stack component framework that communicates via AJAX-like wire requests containing serialized component state. In Livewire, public PHP properties are two-way synchronized with the client by default - without the #[Locked] attribute, a client can freely rewrite any public property (such as productId) in the wire payload before it is processed server-side. The affected sub-form components (Edit, Inventory, Seo, Shipping, Files under Products/Form/) each exposed a store() method that persisted user-submitted data without calling any authorization gate (i.e., without checking the edit_products permission). The root cause is CWE-862 (Missing Authorization) - the code authenticated the session but never verified the caller's role before allowing state mutation. The CPE cpe:2.3:a:shopperlabs:shopper:*:*:*:*:*:*:*:* with an upper version bound of 2.8.0 covers all affected releases. The PR #511 fix adds the #[Locked] PHP attribute to resource ID properties (locking them server-side against client tampering) and inserts $this->authorize() calls in mutating methods to enforce Laravel permission gates.
RemediationAI
Upgrade shopperlabs/shopper to version 2.8.0 or later - this is the vendor-released patch confirmed by security advisory GHSA-h4mp-g9c6-xwph and implemented in PR #511 (https://github.com/shopperlabs/shopper/pull/511). The fix introduces the Livewire #[Locked] attribute on all resource ID properties to prevent client-side wire payload tampering, and adds $this->authorize() permission gate checks in store() and other mutating methods to enforce role-based access control. If an immediate upgrade to 2.8.0 is not feasible, restrict admin panel access exclusively to fully-trusted, high-privilege accounts as a compensating control - this eliminates the low-privilege escalation vector but does not remediate the underlying missing authorization flaw and may not be operationally acceptable in multi-role deployments. There is no known configuration toggle to disable the vulnerable Livewire components independently of disabling the product editor entirely.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenti
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-priv
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows an
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthent
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33408
GHSA-h4mp-g9c6-xwph